Summary
To gap-analyse your cloud service against the proposed Cloud and AI Development Act (CADA), you must map your current technical, legal, and organisational controls against the cumulative criteria set out in Annex II for your target Union assurance level. Under Article 16, providers must meet these criteria to be recognised for public sector contracts. Crucially, criteria are cumulative: failure to meet any single requirement at a lower level precludes conformity at higher levels. This gap analysis defines the scope of your conformity self-assessment for Union assurance level 1 (Article 19) or your independent third-party audit for levels 2, 3, and 4 (Article 20).
Detail
The proposed Cloud and AI Development Act (CADA), as set out in COM(2026) 502 final, establishes a Union cloud computing sovereignty framework comprising four Union assurance levels. Article 16(1) explicitly states that this framework consists of four levels, the criteria for which are set out in Annex II, which cloud computing service providers must meet to provide services to Union entities and public sector bodies.
A gap analysis is the foundational step in determining whether your service currently meets these criteria and, where it does not, what changes are required to achieve recognition. Because the criteria are cumulative, a provider seeking Level 3 must first satisfy all Level 1 and Level 2 criteria. As Article 20(1) notes, "Failure to meet any requirements of a lower assurance level shall preclude conformity with the higher Union assurance levels."
Step 1: Determine Your Target Assurance Level
Before mapping controls, you must identify which Union assurance level (1, 2, 3, or 4) your service aims to achieve. This is not a self-declared status but a formal recognition process. As proposed, Union entities and public sector bodies will determine the required level through risk assessments under Article 29. However, providers must proactively align with these expectations to remain competitive.
- Union Assurance Level 1: Requires a conformity self-assessment and an EU statement of conformity (Article 19). No independent audit is required.
- Union Assurance Levels 2, 3, and 4: Require independent third-party audits by an auditing organisation (Article 20).
Your gap analysis must be rigorous enough to support the evidence requirements for the specific level you target. Higher levels impose stricter cumulative criteria, particularly regarding personnel citizenship, third-country control, and cybersecurity certification.
Step 2: Map Controls to Cumulative Criteria in Annex II
Annex II sets out the criteria to be met by cloud computing service providers for each level. You must systematically map your existing controls to each criterion in Annex II for your target level. Below is a breakdown of the key criteria you must address in your gap analysis, highlighting the specific "gaps" that often trip up providers.
Union Assurance Level 1 Criteria (Annex II, Section 1)
For Level 1, you must demonstrate compliance with the following cumulative criteria. Note that while infrastructure and data must be in the Union, there is a conditional derogation if the public sector body explicitly requires otherwise.
- Establishment: The provider is established in the Union.
- Infrastructure Location: Infrastructure and assets, including those of subcontractors, are located in the Union, unless the public sector body explicitly requires otherwise.
- Data Localisation: Customer data, including metadata and telemetry, remains exclusively within the Union, unless the public sector body explicitly requires otherwise.
- Subcontracting Controls: If technical and operational support is outsourced outside the Union, legal, technical, and organisational measures must ensure traceability, security, and governance, without compromising operational autonomy.
- Cybersecurity: The service complies with state-of-the-art cybersecurity standards.
- Transparency: Full transparency around subcontractor use, with due diligence and ongoing oversight.
- Vulnerability Reporting: If the provider is subject to third-country control, it must guarantee that no law requires it to report software vulnerabilities to third-country authorities before those vulnerabilities are known to be exploited.
Union Assurance Level 2 Criteria (Annex II, Section 2)
Level 2 removes the "explicit requirement" derogation for infrastructure and data, making Union location mandatory. It also introduces the first major personnel and certification hurdles.
- Establishment and Location: Both the provider and subcontractors are established in the Union. Infrastructure, assets, and personnel are located in the Union.
- Data Localisation: Customer data remains exclusively within the Union (no derogation).
- Personnel Screening (Conditional): If the public sector body determines that imposing additional personnel screening and Union citizenship requirements is necessary, the audited provider must ensure that personnel meeting those requirements are available. Note: Citizenship is conditional at Level 2; it becomes mandatory at Levels 3 and 4.
- Cybersecurity Certification: The service obtains a European cybersecurity certificate of at least assurance level 'substantial' under a scheme established under Regulation (EU) 2019/881. Until such a scheme is established, national schemes or highest standards apply.
- AI Training Data: Data generated by using the service is not used to train or fine-tune any AI system operated by a third country or entity, and is not transferred outside the Union.
- Third-Country Control Measures: If subject to third-country control, you must demonstrate measures that (a) prevent the controlling entity from restraining performance of the service, (b) block third-country access to customer data, and (c) prevent disruption of the service.
- Support Location: Technical and operational support is initiated and performed exclusively within the Union.
- Software Supply Chain: A complete and up-to-date Software Bill of Materials (SBOM) is documented. Controls block remote features that could tamper with or disrupt devices. Third-country software components are subject to source code audits and migration plans.
- Open Source Controls: Controls prevent the use of remote features in open-source software.
- Legal Separation: If maintaining a third-country subsidiary, effective legal, technical, and organisational separation from the Union parent company is enforced.
Union Assurance Level 3 Criteria (Annex II, Section 3)
Level 3 introduces significant sovereignty constraints, particularly regarding personnel citizenship and third-country control.
- Establishment and Location: Provider and subcontractors are established in the Union. Infrastructure, assets, and personnel are located in the Union.
- Data Localisation: Customer data remains exclusively within the Union.
- Personnel Citizenship (Mandatory): Personnel, including subcontractors, are Union citizens. Where appropriate, personnel must also have the necessary national security clearance issued by a Member State when handling classified information.
- Cybersecurity Certification: At least 'substantial' assurance level under the European scheme.
- AI Training Data: Data is not used to train third-country AI systems and is not transferred outside the Union.
- Third-Country Control: The provider and subcontractors are not subject to the control of a third country or entity. Exception: By way of derogation, a provider subject to third-country control may be audited for Level 3 where the Commission has adopted an implementing act under Article 18 (not Article 19, as sometimes mis-cited) for that specific third country. If such an act exists, the provider must demonstrate measures preventing control, blocking data access, and preventing disruption.
- Support Location: Support is performed exclusively within the Union by Union residents and third parties not subject to third-country control.
- Software Supply Chain: SBOM is documented. Third-country software components are subject to source code audits and migration plans. No law requires software vulnerabilities to be reported to third-country authorities before they are known to be exploited.
- Open Source Controls: Controls prevent remote features in open-source software.
- Legal Separation: Effective separation from third-country subsidiaries.
Union Assurance Level 4 Criteria (Annex II, Section 4)
Level 4 is the highest assurance level, designed for the most critical public order activities. It removes the derogation for third-country control entirely.
- Establishment and Location: Provider and subcontractors are established in the Union. Infrastructure, assets, and personnel are located in the Union.
- Sensitive Data Localisation: Sensitive customer data, identified via risk assessment, remains exclusively within the Union.
- Personnel Citizenship (Mandatory): Personnel are Union citizens with necessary national security clearances.
- Cybersecurity Certification: At least 'high' assurance level under the European scheme. Note: Only Level 4 requires 'high'; Levels 2 and 3 require 'substantial'.
- AI Training Data: Data is not used to train third-country AI systems and is not transferred outside the Union.
- Third-Country Control: The provider and subcontractors are not subject to the control of a third country or entity. No derogation is available under Article 18 for Level 4.
- Support Location: Support is performed exclusively within the Union by Union residents and third parties not subject to third-country control.
- Software Supply Chain: SBOM is documented. The provider must demonstrate effective control over software components, ensuring no third country holds effective control over design, development, maintenance, or evolution.
- Open Source Controls: Controls prevent remote features in open-source software.
- Legal Separation: Effective separation from third-country subsidiaries.
Step 3: Document Gaps and Scope the Assessment
Once you have mapped your controls, identify gaps where your current state does not meet the criteria. These gaps define the scope of your conformity assessment.
- For Level 1: You will use this gap analysis to prepare your conformity self-assessment under Article 19. You must issue an EU statement of conformity demonstrating compliance with all Level 1 criteria. The gap analysis serves as your internal evidence base.
- For Levels 2-4: You will use this gap analysis to scope your independent audit under Article 20. The auditing organisation will assess your compliance against the criteria in Annex II using the evidence listed in Annex III. Your gap analysis should align with the audit evidence requirements, such as providing SBOMs, data flow diagrams, proof of personnel citizenship, and evidence of legal separation from third-country subsidiaries.
What this means for you
For cloud service providers and data centre operators, a rigorous gap analysis is not merely an internal exercise but a prerequisite for market access in the public sector. Under Article 30, public sector bodies must procure services recognised as offering the appropriate Union assurance level based on their risk assessments. If you cannot demonstrate compliance through a self-assessment or audit, you will be excluded from these contracts.
The gap analysis should be treated as a living document. As your service evolves, you must continuously monitor compliance. Article 23 imposes transparency obligations, requiring you to notify the auditing organisation and national competent authority of any material changes that may affect your recognition. Therefore, your gap analysis should feed into a broader compliance management system that tracks changes in infrastructure, personnel, and subcontracting arrangements.
Furthermore, the gap analysis helps you understand the "sovereignty" gap that CADA is designed to fill. Unlike the AI Act, which focuses on the safety of AI systems, CADA focuses on the sovereignty of the infrastructure. Your gap analysis must therefore look beyond technical security to legal ownership, personnel citizenship, and the ability to resist third-country extraterritorial laws.
Common misconceptions
Misconception 1: Meeting Level 1 criteria is sufficient for all public sector contracts. While Level 1 is the minimum requirement for public sector bodies whose activities are not identified as contributing to the preservation of public order (Article 30(2)), many public sector activities will require Levels 2, 3, or 4 based on risk assessments under Article 29. Assuming Level 1 is enough may limit your market opportunity significantly.
Misconception 2: Cybersecurity certification alone satisfies sovereignty requirements. While Levels 2, 3, and 4 require European cybersecurity certification (Annex II, Section 2.1(e)), this is only one criterion. Sovereignty involves data localisation, personnel citizenship, absence of third-country control, and software supply chain transparency. Cybersecurity certification does not address these broader sovereignty concerns.
Misconception 3: Third-country control is only about ownership. Control is defined broadly in Annex III (Audit Criterion G) and includes direct and indirect shareholders, corporate governance, commercial links, and financial links. A provider may be subject to third-country control even if it is legally incorporated in the Union, if a third-country entity exercises decisive influence over strategic decisions.
Misconception 4: Level 3 allows third-country control without conditions. Level 3 generally prohibits third-country control. However, a derogation exists if the Commission adopts an implementing act under Article 18 for a specific third country. This is often confused with Article 19 (which relates to conformity assessment procedures). If no such act exists for your controlling third country, you cannot achieve Level 3.
Misconception 5: Personnel citizenship is required at all levels. Personnel citizenship is conditional at Level 2 (only if the public sector body requires it). It becomes mandatory at Levels 3 and 4. Confusing these thresholds can lead to unnecessary operational costs or failed audits.